On 2017-01-03 14:31, Tom H wrote:
> On Tue, Jan 3, 2017 at 3:11 PM, jdow <[log in to unmask]> wrote:
>> On 2017-01-03 09:56, David Sommerseth wrote:
>>>
>>> Remember that firewalld provides an API over D-Bus for dynamic
>>> firewall updates, so this is kind of to "seal" the configuration
>>> without breaking any component depending on manipulating the firewall
>>> as the system is running. NetworkManager and libvirt are two
>>> components which adjusts the firewall on-the-fly, depending on which
>>> network you're connected to or which VMs have been started, and so on.
>>
>> That still leaves me mumbling and led me down a midget rabbit hole.
>> The "iptables" command is 777 root root system_u:object_r:bin_t:s0;
>> but, that's OK. It's a link - to xtables-multi, which is rwxr-xr-x.
>> root root system_u:object_r:iptables_exec_t:s0. Waitaminit says I to
>> meself. (or is it me to iself? Whatever) Let's give that a try.... The
>> results are reassuring:
>> ===8<---
>> [jdow@whereever ~]$ xtables-multi iptables -L -v
>> iptables v1.4.21: can't initialize iptables table `filter': Permission
>> denied (you must be root)
>> Perhaps iptables or your kernel needs to be upgraded.
>> ===8<---
>> I guess the ancient philosophy of one task one command is passé and
>> now a monstrosity like xtables-multi finds itself masquerading as
>> iptables and about a dozen other things.
>
> /usr/sbin/iptables-restore
> /usr/sbin/iptables-save
> /usr/sbin/iptables
> /usr/sbin/ip6tables-restore
> /usr/sbin/ip6tables-save
> /usr/sbin/ip6tables
Notice the command I issued. I started, of course, with something like
xtables-multi -L -v as a first approximation. It coughed up a list of some 14
different things it can be called as. That was not reassuring since I called it
as a user rather than root. Then I tried the command listed. It failed but the
message was informative enough. I, of course, escalated to prepending "sudo " to
the command, giving my password as usual, and admired the results.
> are symlinks to "/usr/sbin/xtables-multi" because it's a multi-call
> binary, like busybox.
I was simply bemused that the old UNIX philosophy of one small task one command
with results chained into the next command ad nauseam has finally been
discovered to be silly and furthermore good sense is catching on past busybox.
(I have the same attitude about "goto". And despite dogma even at UniSys many
see Dijkstra's pontification on the subject as flawed, er, and harmful. I live
with one such.) {^_-}
> There are others.
>
> Off the top of my head, dnsdomainname, domainname, nisdomainname,
> ypdomainname are symlinks to hostname; halt, poweroff, reboot,
> shutdown are symlinks to systemctl; view is a symlink to vi; etc.
I hadn't dug that far. But, again, it makes sense in a weird sort of way. It is
really an ultimate reuse of code, right? {^_-}
> It's normal for "iptables" to fail if you call it as jdow; but if you
> have polkit installed, "pkexec iptables" might work (depending on your
> polkit policies; "sudo ..." and "su -c ..." will work if you're
> authorized).
But of course. I've been using sudo for a very long time. (I don't remember if I
did it with the real SVR4 machine I had. But certainly I've been using it from
the first RH 5 or so - not RHEL or Fedora, Hurricane if my memory works tonight.
If sudo didn't work I'd have made a scene about it, probably.
{^_^}
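Since the whole exchange turns on iptables being a symlink into a multi-call binary, here is an added shell example (my own, not code from any message in this thread) that shows the two mechanics discussed: how to list every name under which a multi-call binary is installed without running any of them, and why the lrwxrwxrwx on the link is irrelevant next to the mode of the file the link resolves to. The "xtables-multi" stand-in, its symlinks and the decoy link are all constructed in a temp directory, so nothing on the real system is touched and no root is needed.

```shell
#!/bin/sh
# Added example, not code from any message in this thread. It builds a
# throwaway directory that mimics the /usr/sbin layout discussed above:
# one real executable ("xtables-multi") plus symlinks named after the
# applets it serves, and one unrelated symlink that must NOT be reported.
# Every path below is constructed in a temp dir so the script runs anywhere.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Stand-in for the multi-call binary: it reports which name it was invoked
# under, which is exactly how xtables-multi and busybox pick their applet.
printf '#!/bin/sh\necho "called as $(basename "$0")"\n' > "$DEMO_DIR/xtables-multi"
chmod 755 "$DEMO_DIR/xtables-multi"
for name in iptables iptables-save iptables-restore ip6tables; do
    ln -s xtables-multi "$DEMO_DIR/$name"
done
: > "$DEMO_DIR/other"
ln -s other "$DEMO_DIR/notiptables"   # decoy: a symlink to something else

# List every symlink in directory $1 whose final target is the file $2.
# This answers "which commands here are really xtables-multi?" without
# having to execute each of them as jdow did.
multicall_names() {
    dir=$1
    target=$(readlink -f "$2")
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        if [ "$(readlink -f "$f")" = "$target" ]; then
            basename "$f"
        fi
    done
}

# Mode bits of the file a command finally resolves to. The rwxrwxrwx shown
# on a symlink is not a permission grant; the kernel checks the target's
# mode (and, under SELinux, the target's label) when the link is executed.
target_mode() {
    ls -ld "$(readlink -f "$1")" | cut -c1-10
}

# Run the applet through one of its symlink names to show argv[0] dispatch.
invoke_as() {
    "$DEMO_DIR/$1"
}

multicall_names "$DEMO_DIR" "$DEMO_DIR/xtables-multi"
target_mode "$DEMO_DIR/iptables"
invoke_as iptables-save
```

Run against the real directory with `multicall_names /usr/sbin /usr/sbin/xtables-multi` to get the list Tom typed from memory; `target_mode /usr/sbin/iptables` reports the mode of xtables-multi itself, and `ls -Z` on that resolved path (not on the link) is where the iptables_exec_t label lives.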